I would find it very handy to be able to scan for keys based on netgroup. As such, this patch implements that feature.
This patch also changes the behavior of ssh-keyscan when a hostname does not resolve. I have changed the condition from fatal() to error() so that the scan does not quit when it runs across a bad hostname.
Created attachment 69: Add -n netgroup option to ssh-keyscan and man page
Hm, why can't you use ypcat/etc. to produce a list and feed it to keyscan's stdin? This would be more Unix-like.
Created attachment 70: netgroups patch against cvs
Why not add this feature to openssh? There is a system call on at least Solaris, GNU/Linux, and GNU/Hurd for this purpose.
ypcat netgroup does not give the output in a nice format. For example, suppose I have netgroups like the following:

    servers        servers_here servers_there
    servers_here   (fred,,) (dino,,)
    servers_there  (barney,,) (bambam,,)

If I then do "ypmatch servers netgroup", I get back "servers_here servers_there". I then have to "ypmatch servers_here netgroup; ypmatch servers_there netgroup", then parse the results "(fred,,) (dino,,) (barney,,) (bambam,,)" to pull out the server names. Yuck.

Also, netgroups may not actually exist in NIS. The NIS LDAP schema (RFC 2037) and name service switch modules in recent versions of Solaris support netgroups in LDAP.

If there is resistance to this patch, then perhaps a separate (more unixish) path to take would be a standalone netgroupcat(1).
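The expansion described in the comment above (follow nested netgroup names, pull the host field out of each (host,user,domain) triple), written out as a small netgroupcat-style filter. This is an added example and is not the poster's patch or part of OpenSSH. It assumes the netgroup map has already been dumped with `ypcat -k netgroup` into the "name member member ..." format shown in the comment; the sample map embedded below is constructed for this example and includes a nested-group cycle and user-only triples to show how those are handled.

```python
"""
Expand NIS netgroups into a host list suitable for `ssh-keyscan -f -`.

Added example, not code from the bug report or the attached patch.
Assumption: input is the output of `ypcat -k netgroup`, one netgroup per
line, "name member member ...", where each member is either another
netgroup name or a (host,user,domain) triple.
"""
import re
import sys

# Constructed sample of `ypcat -k netgroup` output (not real data).
# servers_there refers back to servers to exercise cycle handling, and
# "users" contains triples with no usable host field.
SAMPLE_YPCAT_OUTPUT = """\
servers servers_here servers_there
servers_here (fred,,) (dino,,)
servers_there (barney,,) (bambam,,) servers
users (,alice,) (-,bob,)
"""

# A netgroup triple: three comma-separated fields inside parentheses.
TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def parse_netgroup_map(text):
    """Turn ypcat -k output into {netgroup_name: [member, ...]}."""
    groups = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        name, members = fields[0], fields[1:]
        groups.setdefault(name, []).extend(members)
    return groups


def netgroup_hosts(groups, name, _seen=None):
    """Recursively collect host names from netgroup `name`.

    Nested netgroup names are followed; a group already on the current
    expansion path is skipped so cyclic maps terminate. Triples whose host
    field is empty (wildcard) or "-" (no valid host) contribute nothing.
    Unknown netgroup names simply yield an empty list.
    """
    if _seen is None:
        _seen = set()
    if name in _seen:
        return []
    _seen.add(name)
    hosts = []
    for member in groups.get(name, []):
        m = TRIPLE_RE.fullmatch(member)
        if m is None:
            # Not a triple, so treat it as the name of a nested netgroup.
            hosts.extend(netgroup_hosts(groups, member, _seen))
            continue
        host = m.group(1).strip()
        if host and host != "-":
            hosts.append(host)
    # Drop duplicates while keeping first-seen order.
    return list(dict.fromkeys(hosts))


def main(argv):
    if len(argv) != 2:
        sys.stderr.write("usage: netgroupcat NETGROUP < ypcat-netgroup-output\n")
        return 2
    groups = parse_netgroup_map(sys.stdin.read())
    for host in netgroup_hosts(groups, argv[1]):
        print(host)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Used as a filter, `ypcat -k netgroup | python3 netgroupcat.py servers | ssh-keyscan -f -` gives the stdin-driven workflow suggested earlier in the thread without any change to ssh-keyscan itself; with the sample map above, expanding "servers" yields fred, dino, barney and bambam, and "users" yields nothing.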
A standalone netgroupcat would be very useful for other things too. I recommend that you choose this path.
Fix would be a standalone program, if anyone could be bothered writing it.
Mass change of RESOLVED bugs to CLOSED